Python: More HTTP request handler *args/**kwargs modeling

I looked through all `override Parameter getARoutedParameter() {` in our codebase, and we now modeling *args/**kwargs for all of them 👍
2026-04-25 08:45:14 +02:00 · 2023-11-21 13:54:02 +01:00
parent 37d03ee0f3
commit a0867b4f66
3 changed files with 26 additions and 2 deletions
--- a/python/ql/lib/semmle/python/frameworks/FastApi.qll
+++ b/python/ql/lib/semmle/python/frameworks/FastApi.qll
@@ -66,6 +66,9 @@ private module FastApi {
      result = this.getARequestHandler().getArgByName(_) and
      // type-annotated with `Response`
      not any(Response::RequestHandlerParam src).asExpr() = result
+      or
+      // **kwargs
+      result = this.getARequestHandler().getKwarg()
    }

    override DataFlow::Node getUrlPatternArg() {
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -279,6 +279,9 @@ module Flask {
          name = match.regexpCapture(werkzeug_rule_re(), 4)
        )
      )
+      or
+      // **kwargs
+      result = this.getARequestHandler().getKwarg()
    }

    override string getFramework() { result = "Flask" }
@@ -347,6 +350,12 @@ module Flask {
      // more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
      result in [this.getArg(_), this.getArgByName(_)] and
      not result = this.getArg(0)
+      or
+      // *args
+      result = this.getVararg()
+      or
+      // **kwargs
+      result = this.getKwarg()
    }

    override string getFramework() { result = "Flask" }
--- a/python/ql/lib/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/lib/semmle/python/frameworks/Tornado.qll
@@ -416,7 +416,10 @@ module Tornado {
      // more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
      exists(Function requestHandler | requestHandler = this.getARequestHandler() |
        not exists(this.getUrlPattern()) and
-        result in [requestHandler.getArg(_), requestHandler.getArgByName(_)] and
+        result in [
+            requestHandler.getArg(_), requestHandler.getArgByName(_),
+            requestHandler.getVararg().(Parameter), requestHandler.getKwarg().(Parameter)
+          ] and
        not result = requestHandler.getArg(0)
      )
      or
@@ -429,6 +432,12 @@ module Tornado {
        result = requestHandler.getArg(regex.getGroupNumber(_, _))
        or
        result = requestHandler.getArgByName(regex.getGroupName(_, _))
+        or
+        exists(regex.getGroupNumber(_, _)) and
+        result = requestHandler.getVararg()
+        or
+        exists(regex.getGroupName(_, _)) and
+        result = requestHandler.getKwarg()
      )
    }
  }
@@ -446,7 +455,10 @@ module Tornado {
      // Since we don't know the URL pattern, we simply mark all parameters as a routed
      // parameter. This should give us more RemoteFlowSources but could also lead to
      // more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
-      result in [this.getArg(_), this.getArgByName(_)] and
+      result in [
+          this.getArg(_), this.getArgByName(_), this.getVararg().(Parameter),
+          this.getKwarg().(Parameter)
+        ] and
      not result = this.getArg(0)
    }